Abstract

In the context of public key cryptography, the McEliece cryptosystem represents a very smart solution based on the hardness of the decoding problem, which is believed to be able to resist the advent of quantum computers. Despite this, the original McEliece cryptosystem, based on Goppa codes, has encountered limited interest in practical applications, partly because of some constraints imposed by this very special class of codes. We have recently introduced a variant of the McEliece cryptosystem including low-density parity-check codes, that are state-of-art codes, now used in many telecommunication standards and applications. In this paper, we discuss the possible use of a bit-flipping decoder in this context, which gives a significant advantage in terms of complexity. We also provide theoretical arguments and practical tools for estimating the trade-off between security and complexity, in such a way to give a simple procedure for the system design.

I. Introduction 

In recent years, a renewed interest has been devoted to the McEliece cryptosystem [1], which is one of the most attractive options for post-quantum public key cryptography. It exploits error correcting codes to obtain both the private and the public key. Its security relies on the difficulty of decoding a linear code. More precisely, two kinds of attacks can be mounted against this system. The first one aims at retrieving the private key from the public key, while the second one tries to recover the cleartext from the ciphertext, without the knowledge of the private key. For the reasons that will be explained in Section IV, we are more interested in the attacks of the second kind which, taking into account the McEliece cryptosystem principle, basically consist in obtaining the error vector that affects a codeword of an (n, k)-linear block code. Since this problem is also equivalent to finding a minimum weight codeword in an (n, k + 1)-linear block code, the McEliece cryptosystem can be attacked by means of algorithms aimed at finding low weight codewords.

The original version of the McEliece cryptosystem, based on binary Goppa codes with irreducible generator polynomials, is faster than the widespread RSA cryptosystem. However, it has two major drawbacks: large keys and low transmission rates, the latter being coincident with the code rates. The McEliece cryptosystem uses generator matrices and encodes the messages into codewords of Goppa codes. A variant proposed by Niederreiter [2], still based on Goppa codes, exploits instead parity-check matrices and encodes the messages into syndrome vectors. This allows reducing the size of the public key and slightly increasing the transmission rate. Additionally, the number of operations for encryption is significantly lowered, though this is paid with a slight increase in the number of operations for decryption.

However, the most effective way to overcome the drawbacks of the McEliece cryptosystem would be to replace Goppa codes with other families of codes, yielding a more compact representation of their characteristic matrices, and permitting to increase the code rate. Unfortunately, although several families of codes with such characteristics exist, only in very few cases is it possible to replace Goppa codes without incurring serious security flaws [3], [4].

Among the most recent proposals, Quasi-Cyclic (QC) [5], Quasi-Dyadic (QD) [6] and Quasi-Cyclic Low-Density Parity-Check (QC-LDPC) codes [7] have been considered for possible inclusion in the McEliece cryptosystem and also in symmetric key secure channel coding schemes [8]. However, the solutions [6] and [5] have been successfully attacked [9], [10]. An updated variant of the quasi-dyadic solution has been recently proposed in [11], and it should be more secure; however, the complexity of the attack in [10] for the binary QD case is still open, and work is in progress on such issue.

Concerning LDPC codes, they were initially thought to be unable to give significant advantages, due to the fact that the sparse nature of their matrices cannot be exploited for reducing the key size [12]. Furthermore, adopting very large codes was found to be necessary for avoiding that the intrinsic code sparsity is exploited by an attack to the dual of the public code [13]. However, it has also been shown that, by replacing the permutation matrix used for obtaining the public key with a more general transformation matrix, the code sparsity can be hidden and the attack to the dual code avoided [14]. Unfortunately, the proposal in [14] still used only sparse transformations, which exposed it to a total break attack [15]. Subsequently, however, we have presented a simple modification that allows to avoid such flaw, so obtaining a QC-LDPC codes-based cryptosystem that is immune to any known attack [16]. Such variant of the cryptosystem is able to reduce the key size with respect to the original version and to achieve increased transmission rate. Moreover, the size of its public keys increases linearly with the code dimension; so, it scales favorably when larger keys are needed for facing the increasing computing power.

In this paper, we elaborate on our last proposal, first by introducing bit-flipping decoding for 
the QC-LDPC codes, which yields a significant reduction in the decoding complexity, at the cost 
of a moderate loss in terms of error correction performance. The performance of bit-flipping 
decoding can be easily predicted through theoretical arguments, and this helps dimensioning 
the system, without the need of long numerical simulations. We also consider the most effective 
attack procedures known up to now and estimate analytically their work factor (WF). This way, 
we provide tools that permit the designer to easily find the best set of system parameters to 
optimize the trade-off between security and complexity. 

The paper is organized as follows: in Section II we describe the proposed version of the QC-LDPC codes-based cryptosystem; in Section III we describe the encryption and decryption algorithms and evaluate their complexity; in Section IV we assess the security level of the system; finally, Section V concludes the paper.

II. McEliece cryptosystem based on QC-LDPC codes

Fig. 1. The McEliece cryptosystem based on QC-LDPC codes.

The main functions of the McEliece cryptosystem based on QC-LDPC codes are shown in Fig. 1. QC-LDPC codes with length n = n_0 · p, dimension k = (n_0 − 1)p and redundancy r = p are adopted, where n_0 is a small integer (e.g., n_0 = 3, 4), while p is a large integer (on the order of some thousands). For fixed values of the parameters, the private key is formed by the sparse parity-check matrix H of one of these codes, randomly chosen, having the following form:

H = [H_0 | H_1 | … | H_{n_0−1}]   (1)

that is, a row of n_0 circulant blocks H_i, each with row (column) weight d_v. Without loss of generality, we can suppose that H_{n_0−1} is non singular; so, a systematic generator matrix for the code is G = [I | P], where I represents the k × k identity matrix and

(2)

where superscript T denotes transposition.

Let us denote by h_i, i = 0, …, n_0 − 1, the vector containing the positions of the symbols 1 in the first row of the matrix H_i. It is easy to show that, if all the h_i vectors have disjoint sets of differences modulo p, the matrix H is free of length-4 cycles in its associated Tanner graph. The secret code can be easily constructed by randomly selecting n_0 vectors h_i with such property. This permits us to obtain large families of codes with identical parameters [14]. Under the LDPC decoding viewpoint, most of the codes in a family have the same properties; so, they show comparable error correction performance when belief propagation decoding algorithms are adopted.

In the QC-LDPC codes-based cryptosystem, Bob chooses a secret QC-LDPC code by generating its parity-check matrix, H, and chooses two other secret matrices: a k × k non singular scrambling matrix S and an n × n non singular transformation matrix Q with row/column weight m. Then, he obtains a systematic generator matrix G for the secret code, in the form G = [I | P], and produces his public key as:

G' = S^{-1} · G · Q^{-1}.   (3)

The public key is a dense matrix, but, since we adopt QC-LDPC codes, the knowledge of one row of each circulant block is sufficient to describe it. We notice that, differently from the original McEliece cryptosystem, the public code is not permutation-equivalent to the private code. In fact, the permutation matrix used in the original system [1] has been replaced by Q, that is a sparse n × n matrix, with row and column weight m > 1. This way, the LDPC matrix of the secret code (H) is mapped into a new parity-check matrix for the public code:

H' = H · Q^T   (4)

and, through a suitable choice of m, the density of H' can be made high enough to avoid attacks to the dual code.

Alice fetches G' from the public directory, divides her message into k-bit words, and applies the encryption map as follows:

x = u · G' + e,   (5)

where x is the ciphertext corresponding to the cleartext u, and e is a random vector of t' intentional errors. After receiving x, Bob inverts the transformation as follows:

x' = x · Q = u · S^{-1} · G + e · Q,   (6)

thus obtaining a codeword of the secret LDPC code affected by the error vector e · Q, with weight ≤ t = t'm. Bob should be able to correct all the errors through LDPC decoding and to obtain u · S^{-1}. Finally, he can recover u through multiplication by S.

We note from (6) that the introduction of the matrix Q causes an error propagation effect (at most by a factor m) within each received frame. This is compensated by the high error correction capability of the QC-LDPC code, that must be able to correct up to t errors. Suitable QC-LDPC codes can be designed for such purpose. However, we must also note that, contrary to the McEliece cryptosystem based on Goppa codes, which corrects all errors of a certain prescribed weight, the decoding radius of LDPC codes is usually unknown. So, there is a small probability that Bob fails to recover the secret message. To prevent such event, different procedures can be implemented. First, Bob can make a careful selection of the private code, rather than just picking up the first code randomly generated. In fact, the number of codes that can be obtained through random-based approaches, like random difference families [14], is impressively high. Secondly, when the cryptosystem is used for data transmissions, an automatic repeat request (ARQ) protocol can allow Alice to know whether Bob is able to correct all the errors she has randomly introduced or not. Indeed, Bob is able to detect uncorrected frames through the parity check performed by the LDPC decoder, and, consequently, he can request retransmission. In this case, a new random vector is generated by Alice, and the procedure is repeated until a correctable error pattern is obtained. In principle, this exposes the system to message-resend attacks, but a simple modification of the cryptosystem is known that prevents these attacks without significant drawbacks [17]. Obviously, this additional effort increases the latency, but the problem is not serious if the number of errors is properly chosen and controlled.

III. Encryption, decryption and their complexity 
A. Key size and transmission rate 

In the QC-LDPC codes-based cryptosystem, due to the special form (1) of the matrix H, the code rate is (n_0 − 1)/n_0. In the following, we will focus on two values of n_0, namely: n_0 = 3, 4, which give transmission rates equal to 2/3 and 3/4, respectively.

The public key is a binary matrix formed by k_0 × n_0 circulant blocks, each with size p × p, where k_0 = n_0 − 1. Since each circulant block is completely described by a single row (or column), that is, p bits, the public key size is k_0 · n_0 · p = (n_0 − 1) · n_0 · p bits.



TABLE I
Public key size expressed in bytes.

p [bits] | 4096 | 5120 | 6144 | 7168  | 8192  | 9216  | 10240 | 11264 | 12288 | 13312 | 14336 | 15360 | 16384
n_0 = 3  | 3072 | 3840 | 4608 | 5376  | 6144  | 6912  | 7680  | 8448  | 9216  | 9984  | 10752 | 11520 | 12288
n_0 = 4  | 6144 | 7680 | 9216 | 10752 | 12288 | 13824 | 15360 | 16896 | 18432 | 19968 | 21504 | 23040 | 24576


The values of the key size (expressed in bytes) are reported in Table I for n_0 = 3, 4 and for a set of values of p that we will consider throughout the paper. All choices of the system parameters we have considered give smaller key size and higher transmission rate than those of the original McEliece cryptosystem (that has key size 67072 bytes and rate 0.51) [1] and its Niederreiter version (that has key size 32750 bytes and rate 0.57) [2].



B. Multiplication by circulant matrices 

A fundamental point for reducing complexity in the considered cryptosystem is to adopt 
efficient algorithms for performing multiplication of a circulant matrix by a vector. 

Since circulant matrices are also Toeplitz matrices, an effective algorithm for fast computation of vector-matrix products is the Winograd convolution [18]. The Winograd algorithm is a generalization of the Karatsuba-Ofman algorithm, that has been reviewed even recently, in the perspective to allow fast VLSI implementations [19]. If we consider a p × p Toeplitz matrix T, with even p, we can decompose it as follows:

where I and 0 are the p/2 × p/2 identity and null matrices, respectively, and T_0, T_1, T_2 are p/2 × p/2 Toeplitz matrices, as well as T_1 − T_0 and T_2 − T_0. It follows that the multiplication of a vector V = [V_0 V_1] by the matrix T can be split into three phases:

• Evaluation phase: multiplication of V by the first matrix translates into the addition of two p/2-bit vectors (V_0 and V_1); so, its cost, in terms of binary operations, is p/2.

• Multiplication phase: the vector resulting from the evaluation phase must be multiplied by the second matrix. This translates into 3 vector-matrix products by p/2 × p/2 Toeplitz matrices. If p/2 is even, the three multiplications can be computed in a recursive way, by splitting each of them into four p/4 × p/4 blocks. If p/2 is odd (or sufficiently small to make splitting no longer advantageous), the vector-matrix multiplication can be performed in the traditional way and its complexity is about (p/2)^2/2.

• Interpolation phase: the result of the multiplication phase must be multiplied by the third matrix. This requires 2 additions of p/2-bit vectors, that is, a further p binary operations.

The matrix G' used in the QC-LDPC codes-based cryptosystem is formed by k_0 × n_0 circulant blocks with size p × p. When a vector is multiplied by such a matrix, we can split the vector into k_0 p-bit subvectors and consider k_0 · n_0 vector-matrix multiplications. However, we must take into account that the evaluation phase on the p-bit subvectors must be performed only once, and that a further (k_0 − 1) · n_0 · p binary operations are needed for re-combining the results of multiplication by each column of circulants.
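The three-phase splitting just described, as an added example that is not part of the paper: a Python implementation of the vector × Toeplitz product over GF(2) with the Winograd/Karatsuba recursion, a counter of the binary operations spent on the vector side (the evaluation and interpolation additions plus the XORs of the base-case schoolbook products; the matrix-side differences T_1 − T_0 and T_2 − T_0 depend only on the key and are left out of the count, as in the text), and the block-wise product by a k_0 × n_0 array of circulants as needed for G'. The bit patterns are constructed inside the example; the helper names, the pseudo-random generator and the `min_size` cut-off are this example's own choices.

```python
"""Added example (not the paper's code): vector x Toeplitz product over GF(2)
with the three-phase Winograd/Karatsuba splitting, plus an operation counter."""
from typing import List, Tuple

Bits = List[int]


def pseudo_bits(length: int, seed: int) -> Bits:
    """Deterministic constructed test pattern (a small LCG), so the example runs offline."""
    out, state = [], seed
    for _ in range(length):
        state = (1103515245 * state + 12345) % (2 ** 31)
        out.append((state >> 16) & 1)
    return out


def circulant_as_toeplitz(first_row: Bits) -> Bits:
    """A p x p circulant with first row c has entry (i, j) = c[(j - i) mod p].
    Return its Toeplitz diagonal array a (length 2p - 1) with T[i][j] = a[j - i + p - 1]."""
    p = len(first_row)
    return [first_row[(k - p + 1) % p] for k in range(2 * p - 1)]


def xor_vectors(u: Bits, w: Bits) -> Bits:
    return [x ^ y for x, y in zip(u, w)]


def naive_vec_toeplitz(v: Bits, a: Bits, ops: List[int]) -> Bits:
    """Schoolbook row-vector x Toeplitz product; ops[0] counts the XORs performed."""
    p = len(v)
    out = [0] * p
    for i in range(p):
        if v[i]:
            for j in range(p):
                if a[j - i + p - 1]:
                    out[j] ^= 1
                    ops[0] += 1
    return out


def winograd_vec_toeplitz(v: Bits, a: Bits, ops: List[int], min_size: int = 4) -> Bits:
    """Split T = [[A, B], [C, A]] (each block an h x h Toeplitz matrix, h = p/2) and
    compute V T = [V0 A + V1 C, V0 B + V1 A] with only three half-size products:
    (V0 + V1) A,  V0 (B - A),  V1 (C - A)."""
    p = len(v)
    if p % 2 == 1 or p <= min_size:          # odd or small: fall back to schoolbook
        return naive_vec_toeplitz(v, a, ops)
    h = p // 2
    v0, v1 = v[:h], v[h:]
    # diagonal arrays of the three distinct blocks of T
    c_arr, a_arr, b_arr = a[0:2 * h - 1], a[h:3 * h - 1], a[2 * h:4 * h - 1]
    # matrix-side differences depend only on the key: precomputed, not counted
    b_minus_a = xor_vectors(b_arr, a_arr)
    c_minus_a = xor_vectors(c_arr, a_arr)
    # evaluation phase: one addition of two h-bit vectors
    s = xor_vectors(v0, v1)
    ops[0] += h
    # multiplication phase: three recursive half-size products
    m0 = winograd_vec_toeplitz(s, a_arr, ops, min_size)
    m1 = winograd_vec_toeplitz(v0, b_minus_a, ops, min_size)
    m2 = winograd_vec_toeplitz(v1, c_minus_a, ops, min_size)
    # interpolation phase: two additions of h-bit vectors
    ops[0] += 2 * h
    return xor_vectors(m0, m2) + xor_vectors(m0, m1)


def vec_times_circulant_direct(v: Bits, first_row: Bits) -> Bits:
    """Independent reference: out[j] = XOR_i v[i] * c[(j - i) mod p]."""
    p = len(v)
    return [sum(v[i] & first_row[(j - i) % p] for i in range(p)) % 2 for j in range(p)]


def vec_times_circulant(v: Bits, first_row: Bits, fast: bool = True) -> Tuple[Bits, int]:
    """Multiply v by the circulant with the given first row; returns (result, ops)."""
    ops = [0]
    a = circulant_as_toeplitz(first_row)
    out = winograd_vec_toeplitz(v, a, ops) if fast else naive_vec_toeplitz(v, a, ops)
    return out, ops[0]


def vec_times_block_circulant(u: Bits, blocks: List[List[Bits]]) -> Bits:
    """u (k0 * p bits) times a k0 x n0 array of circulants given by their first rows,
    as for the public key G': each block column sums k0 circulant products."""
    k0, n0, p = len(blocks), len(blocks[0]), len(blocks[0][0])
    out: Bits = []
    for col in range(n0):
        acc = [0] * p
        for row in range(k0):
            part, _ = vec_times_circulant(u[row * p:(row + 1) * p], blocks[row][col])
            acc = xor_vectors(acc, part)
        out += acc
    return out


if __name__ == "__main__":
    p = 1024
    c, v = pseudo_bits(p, 7), pseudo_bits(p, 99)
    fast, fast_ops = vec_times_circulant(v, c, fast=True)
    slow, slow_ops = vec_times_circulant(v, c, fast=False)
    print("results agree:", fast == slow, "| winograd ops:", fast_ops, "| schoolbook ops:", slow_ops)
```

The operation counter reports only the vector-dependent work, which is what matters for a per-encryption cost; the key-dependent differences of Toeplitz blocks are computed once per key. Because the recursion only splits even sizes, the count is lowest when p is a power of two, which is the observation made for Table II.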

C. Encryption operations and complexity 

Encryption is performed by calculating the product u • G' and then adding the intentional 
error vector e. So, the encryption complexity can be estimated by considering the cost of a 
vector-matrix multiplication through the Winograd convolution and adding n binary operations 
for summing the intentional error vector. 

TABLE II
Binary operations needed for each encrypted bit.

p [bits] | 4096 | 5120 | 6144 | 7168 | 8192 | 9216 | 10240 | 11264 | 12288 | 13312 | 14336 | 15360 | 16384
n_0 = 3  | 726  | 823  | 919  | 1005 | 1092 | 1178 | 1236  | 1351  | 1380  | 1524  | 1510  | 1697  | 1639
n_0 = 4  | 956  | 1081 | 1206 | 1321 | 1437 | 1552 | 1624  | 1783  | 1811  | 2013  | 1984  | 2244  | 2157
Table II reports the values of the encryption complexity, expressed in terms of the number of binary operations needed for each encrypted bit, as a function of the circulant matrix size p, for n_0 = 3 and n_0 = 4. The use of the Winograd convolution is particularly efficient when p is a power of 2, since, in such cases, recursion can be exploited to the utmost.

D. Decryption operations and complexity 

Bob must perform the following three operations for decrypting the received message: 

1) calculate the product x • Q; 

2) decode the secret LDPC code; 

3) calculate the product u' • S. 

Matrices Q and S are formed, respectively, by n_0 × n_0 and k_0 × k_0 circulant blocks. However, while the matrix S is dense, the matrix Q is sparse (with row/column weight m ≪ n). So, it is advantageous to use the traditional multiplication (requiring n · m binary operations) for calculating the product x · Q. On the contrary, the complexity of step 3) can be reduced by resorting to the Winograd convolution for efficient multiplication of a vector by a circulant matrix. Concerning step 2), Bob must exploit the secret LDPC matrix to implement a suitable decoding algorithm for trying to correct all intentional errors (that are ≤ t = t'm). LDPC decoding is usually accomplished through iterative decoding algorithms, which work on the code Tanner graph, and implement the belief propagation principle to provide very good error correction capability. Among them are the sum-product algorithm (SPA) [20] and the bit-flipping (BF) algorithm [21]. The SPA exploits real valued messages and ensures the best performance on channels with soft information. When the latter is not available, as it occurs in our case, it may be advantageous to use the BF algorithm, which works on binary messages and requires very low complexity, though its performance is not as good as that of the SPA.

The principle of the BF algorithm was devised in Gallager's seminal work for LDPC codes with a tree representation [21]. Given an LDPC parity-check matrix with column weight d_v, the variable nodes of its Tanner graph are initially filled with the received codeword bits. During an iteration, every check node c_i sends each neighboring variable node v_j the binary sum of all its neighboring variable nodes other than v_j. So, each variable node receives d_v parity-check sums. In order to send back a message to each neighboring check node c_i, node v_j counts the number of unsatisfied parity-check sums from check nodes other than c_i. Let us denote by b ≤ d_v − 1 a suitably chosen integer; if the number of unsatisfied parity-check sums counted by v_j is greater than or equal to b, then v_j flips its value and sends it to c_i; otherwise, it sends its initial value unchanged to c_i. At the next iteration, the check sums are updated with such new values, until all of them are satisfied or a maximum number of iterations is reached.

A relevant issue concerns the choice of b. Two algorithms, commonly named A and B, were originally proposed by Gallager [21]: in Algorithm A, the value is fixed to b = d_v − 1, while in Algorithm B it can vary between ⌈d_v/2⌉ and d_v − 1 during decoding (⌈·⌉ is the ceiling function). Algorithm A is simpler to implement, but Algorithm B ensures better performance.

We have already observed that, differently from algebraic hard-decision codes, the decoding radius of LDPC codes is generally unknown. So, numerical simulations are usually exploited for estimating their performance, but such an approach is time demanding and impractical for the purpose of dimensioning the QC-LDPC codes-based cryptosystem. In the following, we show how we can estimate the performance of the BF algorithm, when applied in the considered scenario, through theoretical arguments that are very similar to those developed in [22].



Let us suppose that Bob, after having received the ciphertext, performs decoding through Algorithm A. At each iteration of the algorithm, we denote by p_cc the probability that a bit is not in error and a generic parity-check equation evaluates it correctly. Instead, p_ci is the probability that a bit is not in error and a parity-check equation evaluates it incorrectly. Similarly, p_ic and p_ii are the probabilities that a bit is in error and a parity-check equation evaluates it correctly and incorrectly, respectively. In the considered context, by using simple combinatorial arguments, it is possible to verify that the following expressions hold:

where d_c = n_0 · d_v is the row weight of the matrix H and q_l is the average number of residual errors after the l-th iteration. It must be q_0 ≤ t = t'm; we fix q_0 = t = t'm in order to obtain worst-case estimates (maximum error propagation).

Let us suppose that, after the l-th iteration, the estimate of a bit is in error. Based on (8), we can calculate the probability that, during the subsequent iteration, the message originating from its corresponding variable node is correct; this can be expressed as:

f(q_l) = \sum_{j=b}^{d_v-1} \binom{d_v-1}{j} \left[p_{ic}(q_l)\right]^{j} \left[p_{ii}(q_l)\right]^{d_v-1-j}   (9)

Similarly, the probability of incorrectly evaluating, in a single iteration of the algorithm, a bit that is not in error can be expressed as:

g'(q_l) = \sum_{j=b}^{d_v-1} \binom{d_v-1}{j} \left[p_{ci}(q_l)\right]^{j} \left[p_{cc}(q_l)\right]^{d_v-1-j}   (10)

Under the ideal assumption of a cycle-free Tanner graph (which implies considering an infinite-length code), the average number of residual bit errors at the l-th iteration, q_l, results in:

q_l = t - t \cdot f(q_{l-1}) + (n - t) \cdot g'(q_{l-1}).   (11)

Based on this recursive procedure, we can calculate a waterfall threshold by finding the maximum value t = t_th such that \lim_{l \to \infty} q_l = 0.

Actually, different values of t_th can be found by different choices of b. So, rather than resorting only to Algorithm A (in which b = d_v − 1 is fixed), we can also optimize the choice of b by computing t_th for each b ∈ {⌈d_v/2⌉, …, d_v − 1} and keeping the value of b that gives the largest threshold. This way, variants of Algorithm A with better choices of b can be obtained. For each set of code parameters, we will refer to the optimal choice of b in the following.
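The recursion (9)-(11), the search for t_th and the optimization of b, as an added example that is not part of the paper. The paper's combinatorial expressions for p_cc, p_ci, p_ic and p_ii are not reproduced on this page, so the example assumes a simpler independent-error model instead (each of the other d_c − 1 bits of a check is in error with probability q_l/(n − 1), or (q_l − 1)/(n − 1) when the bit under examination is itself in error); this is an assumption of the example, and the thresholds it produces need not coincide with Table III. Function names, the tolerance and the iteration cap are this example's own choices.

```python
"""Added example (not the paper's code): bit-flipping threshold t_th from the
recursion q_l = t - t f(q_{l-1}) + (n - t) g'(q_{l-1}), with the b optimization."""
from math import ceil, comb
from typing import Tuple


def check_probabilities(q: float, n: int, d_c: int) -> Tuple[float, float, float, float]:
    """(p_cc, p_ci, p_ic, p_ii) for an average of q residual errors.
    ASSUMPTION of this example (not the paper's combinatorial formulas): the other
    d_c - 1 bits of a check are independently in error with density rho, so the
    check evaluates the bit correctly (even number of errors among the others)
    with probability (1 + (1 - 2 rho)^(d_c - 1)) / 2."""
    rho_c = min(q, n - 1.0) / (n - 1)                    # seen by a correct bit
    rho_e = min(max(q - 1.0, 0.0), n - 1.0) / (n - 1)    # seen by a bit in error
    p_cc = (1.0 + (1.0 - 2.0 * rho_c) ** (d_c - 1)) / 2.0
    p_ic = (1.0 + (1.0 - 2.0 * rho_e) ** (d_c - 1)) / 2.0
    return p_cc, 1.0 - p_cc, p_ic, 1.0 - p_ic


def flip_probability(p_unsat: float, p_sat: float, d_v: int, b: int) -> float:
    """Probability that at least b of the d_v - 1 other checks are unsatisfied:
    the binomial sums of (9) and (10)."""
    return sum(comb(d_v - 1, j) * p_unsat ** j * p_sat ** (d_v - 1 - j)
               for j in range(b, d_v))


def residual_errors(t: int, n: int, d_v: int, d_c: int, b: int,
                    iterations: int = 200, tol: float = 1e-9) -> float:
    """Iterate (11) from q_0 = t (worst case) and return the final q_l."""
    q = float(t)
    for _ in range(iterations):
        p_cc, p_ci, p_ic, p_ii = check_probabilities(q, n, d_c)
        f = flip_probability(p_ic, p_ii, d_v, b)      # (9): erroneous bit gets corrected
        g = flip_probability(p_ci, p_cc, d_v, b)      # (10): correct bit gets flipped
        q = t - t * f + (n - t) * g                    # (11)
        if q < tol:
            break
    return q


def converges(t: int, n: int, d_v: int, d_c: int, b: int, tol: float = 1e-9) -> bool:
    """True when the recursion drives the residual error count to (numerical) zero."""
    return residual_errors(t, n, d_v, d_c, b, tol=tol) < tol


def bf_threshold(n: int, d_v: int, d_c: int, b: int) -> int:
    """t_th: the largest t below the first non-converging error count."""
    t = 0
    while t + 1 < n and converges(t + 1, n, d_v, d_c, b):
        t += 1
    return t


def best_threshold(n0: int, p: int, d_v: int) -> Tuple[int, int]:
    """Try every b in {ceil(d_v/2), ..., d_v - 1}; return (best b, its t_th)."""
    n, d_c = n0 * p, n0 * d_v
    best_b = max(range(ceil(d_v / 2), d_v), key=lambda b: bf_threshold(n, d_v, d_c, b))
    return best_b, bf_threshold(n, d_v, d_c, best_b)


if __name__ == "__main__":
    # toy code: n0 = 3, p = 19, d_v = 3 (d_c = 9); only b = 2 is admissible
    print("toy code (b, t_th):", best_threshold(3, 19, 3))
    # one of the paper's configurations; Table III lists 190 for its own model
    print("n0 = 3, p = 4096, d_v = 13 (b, t_th):", best_threshold(3, 4096, 13))
```

Under this approximation f(q_l) = 1 whenever q_l ≤ 1, so for small t the recursion is driven purely by the false-flip term (n − t)·g'(q_{l−1}), which decays like q_{l−1}^b; this is why the threshold search only needs to find the first t at which that term stops shrinking.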

TABLE III
Threshold values for BF decoding with constant b.

p [bits]         | 4096 | 5120 | 6144 | 7168 | 8192 | 9216 | 10240 | 11264 | 12288 | 13312 | 14336 | 15360 | 16384
n_0 = 3, d_v = 13 | 190  | 237  | 285  | 333  | 380  | 428  | 476   | 523   | 571   | 619   | 666   | 714   | 762
n_0 = 3, d_v = 15 | 192  | 240  | 288  | 336  | 384  | 432  | 479   | 527   | 575   | 622   | 670   | 718   | 766
n_0 = 4, d_v = 13 | 181  | 225  | 270  | 315  | 360  | 405  | 450   | 495   | 540   | 585   | 630   | 675   | 720
n_0 = 4, d_v = 15 | 187  | 233  | 280  | 327  | 374  | 421  | 468   | 515   | 561   | 608   | 655   | 702   | 749
Table III reports the threshold values, so obtained, for several values of the circulant block size p, code rates 2/3 (n_0 = 3) and 3/4 (n_0 = 4), and two values of column weight: d_v = 13, 15.

In more realistic scenarios, with finite code lengths and closed loops in the Tanner graphs, also adopting a finite number of decoding iterations, there is no guarantee that the error rate is arbitrarily small for t < t_th. In this sense, the values in Table III should be seen as an optimistic assumption. However, we can observe that the performance achievable by BF with fixed b can be improved in a number of ways.

One of these improvements has been mentioned above, and consists in using Algorithm B (i.e., variable b). On the other hand, more recently, the original Gallager's algorithms have been made more efficient through further, and more elaborated, variants [23], [24]. Such improved versions reduce the gap in performance with respect to the SPA, which is able to reach extremely small error rates for values of t even above the BF threshold t_th [7]. So, taking into account these aspects, we can consider the BF threshold values as reliable approximations of the decoding radius of the considered QC-LDPC codes.

As concerns complexity, we can estimate the number of binary operations needed for each iteration of the algorithm over the code Tanner graph. During an iteration, each check node receives d_c binary values and EX-ORs them, for a total of d_c − 1 binary sums. The result is then EX-ORed again with the message coming from each variable node before sending it back to the same node, thus requiring a further d_c binary sums. So, the total number of operations at check nodes is r(2d_c − 1). Similarly, each variable node receives d_v check sum values and counts the number of them that are unsatisfied; this requires d_v operations. After that, for each neighboring check node, any variable node updates the number of unsatisfied check sums by excluding the message received from that node and compares the result with the threshold b; this requires a further 2d_v operations. So, the total number of operations at variable nodes is n(3d_v). In conclusion, since r · d_c = n · d_v (both count the ones in H), the cost of one iteration of bit flipping can be estimated as

r(2d_c − 1) + n(3d_v) = 5nd_v − r.   (12)

Based on (12), and considering the computational effort required for calculating the x · Q and u' · S products, we can estimate the total cost, in terms of binary operations, for each decrypted bit. The values obtained are reported in Table IV, where m = 7 has been assumed and a BF algorithm with 10 average iterations has been considered.

TABLE IV
Binary operations needed for each decrypted bit by using BF decoding.

p [bits]         | 4096 | 5120 | 6144 | 7168 | 8192 | 9216 | 10240 | 11264 | 12288 | 13312 | 14336 | 15360 | 16384
n_0 = 3, d_v = 13 | 1476 | 1544 | 1611 | 1668 | 1726 | 1784 | 1827  | 1899  | 1928  | 2014  | 2014  | 2130  | 2101
n_0 = 3, d_v = 15 | 1626 | 1694 | 1761 | 1818 | 1876 | 1934 | 1977  | 2049  | 2078  | 2164  | 2164  | 2280  | 2251
n_0 = 4, d_v = 13 | 1598 | 1694 | 1790 | 1877 | 1963 | 2050 | 2107  | 2223  | 2252  | 2396  | 2381  | 2569  | 2511
n_0 = 4, d_v = 15 | 1731 | 1828 | 1924 | 2010 | 2097 | 2183 | 2241  | 2356  | 2385  | 2529  | 2515  | 2702  | 2644

By using the same parameters, and considering v = 6 quantization bits for the decoder messages, we have estimated the decryption complexity with SPA decoding [7]; the results are reported in Table V. Decoding by using the SPA guarantees the best error correction performance at the threshold value t = t_th. However, in comparison with Table IV, the adoption of BF decoding gives a significant advantage over the SPA in terms of decryption complexity.

TABLE V
Binary operations needed for each decrypted bit by using SPA decoding.

p [bits]         | 4096  | 5120  | 6144  | 7168  | 8192  | 9216  | 10240 | 11264 | 12288 | 13312 | 14336 | 15360 | 16384
n_0 = 3, d_v = 13 | 9791  | 9859  | 9926  | 9983  | 10041 | 10099 | 10142 | 10214 | 10243 | 10329 | 10329 | 10445 | 10416
n_0 = 3, d_v = 15 | 11261 | 11329 | 11396 | 11453 | 11511 | 11569 | 11612 | 11684 | 11713 | 11799 | 11799 | 11915 | 11886
n_0 = 4, d_v = 13 | 9068  | 9164  | 9260  | 9347  | 9433  | 9520  | 9577  | 9693  | 9722  | 9866  | 9851  | 10039 | 9981
n_0 = 4, d_v = 15 | 10375 | 10471 | 10567 | 10653 | 10740 | 10826 | 10884 | 10999 | 11028 | 11172 | 11158 | 11345 | 11288

IV. Security level

Attacks can be divided into two classes:
• attacks aimed at recovering the secret code;
• attacks aimed at decrypting the transmitted ciphertext.

As we have shown in [16], [7], the proper use of the matrices S and Q to disguise the secret code in the public matrix is able to prevent attacks exploiting its sparsity (even within its dual). More precisely, the most dangerous attacks of the first type (like the attack to the dual code and OTD attacks [15]) can be prevented by choosing a dense S matrix and a sparse Q matrix. The latter may have, for example, row and column weight m = 7.

On the contrary, due to the low weight (t') of the intentional error vector, decoding attacks 
of the second type are more dangerous and, in many cases, provide the smallest WF. 

Decoding attacks aim at solving the decoding problem, that is, obtaining the error vector e used for encrypting a ciphertext. A way for finding e is to search for the minimum weight codewords of an extended code, generated by:

G'' = \begin{bmatrix} G' \\ x \end{bmatrix}   (13)

The WF of such attacks can be determined by referring to Stern's algorithm [25]. More precisely, we have used an updated version of this algorithm [26], which results in the minimum WF for the class of codes here considered. It must be said that several advances have recently appeared in the literature for improving the running time of the best decoding algorithms for binary random codes (see [27], [28], for example). These papers, however, often aim at evaluating the performance of information set decoding in asymptotic conditions, i.e., for codes with infinite length. Moreover, they cannot be used to estimate the WF in the case of codes with finite length, like those of interest in our study. Even the so-called "ball collision decoding", recently proposed [29], is not applicable effectively, as it reduces the WF for rates close to 0.5, very long codes and error patterns with large weight; all these conditions do not hold for the codes here of interest and, in fact, the application of [29] does not yield any reduction in the WF.

On the other hand, we must observe that, in the QC-LDPC codes-based cryptosystem, a 
further speedup is obtained by considering that, because of the quasi-cyclic property of the 
codes, each block-wise cyclically shifted version of the ciphertext x is still a valid ciphertext. 
So, the eavesdropper can continue extending G" by adding block-wise shifted versions of x, 
and can search for one among as many shifted versions of the error vector. So, in order to 
estimate the minimum WF, we have considered the optimum number of shifted ciphertexts that 
can be used by an attacker in the generator matrix of the extended code. 



TABLE VI
Security level of the QC-LDPC codes-based cryptosystem for m = 7.

p [bits]         | 4096 | 5120 | 6144 | 7168  | 8192  | 9216  | 10240 | 11264 | 12288 | 13312 | 14336 | 15360 | 16384
n_0 = 3, d_v = 13 | 2^54 | 2^63 | 2^73 | 2^84  | 2^94  | 2^105 | 2^116 | 2^125 | 2^135 | 2^146 | 2^157 | 2^161 | 2^161
n_0 = 3, d_v = 15 | 2^54 | 2^64 | 2^75 | 2^85  | 2^94  | 2^105 | 2^116 | 2^126 | 2^137 | 2^146 | 2^157 | 2^168 | 2^179
n_0 = 4, d_v = 13 | 2^60 | 2^73 | 2^85 | 2^98  | 2^109 | 2^121 | 2^134 | 2^146 | 2^153 | 2^154 | 2^154 | 2^154 | 2^154
n_0 = 4, d_v = 15 | 2^62 | 2^75 | 2^88 | 2^100 | 2^113 | 2^127 | 2^138 | 2^152 | 2^165 | 2^176 | 2^176 | 2^176 | 2^176

For each QC-LDPC code, we have calculated the maximum number of intentional errors t' = ⌊t/m⌋ by considering m = 7 and the estimated error correction capability t reported in Table III.

The minimum WF values, obtained in such conditions, are shown in Table VI. For n_0 = 3, the WF of the attack to the dual code, also based on the improved version of Stern's algorithm, is about 2^161, when d_v = 13, and 2^179, when d_v = 15. So, we have reported the former of such values in Table VI for those cases in which the decoding attack WF would be higher. The same has been done for n_0 = 4, for which the WF of the attack to the dual code is about 2^154 and 2^176 for d_v = 13 and d_v = 15, respectively.

In order to give an example of system design, we can consider the parameters of the Goppa code suggested in [30] for achieving 80-bit security (i.e., WF = 2^80), that are: n = 1632, k = 1269 and t = 33. They give a key size of 258876 bytes for the McEliece cryptosystem and 57581 bytes for the Niederreiter version. The encryption and decryption complexity, estimated through the formulas in [31, p. 27], result in 817 and 2472 operations per bit, respectively, for the McEliece cryptosystem and 48 and 7890 operations per bit for the Niederreiter version. The transmission rate is 0.78 for the McEliece cryptosystem and 0.63 for the Niederreiter version.

A similar security level can be reached by the QC-LDPC codes-based cryptosystem with n_0 = 4, p = 6144 and d_v = 13. In this case, as reported in Table I, the public key size is 9216 bytes, i.e., 28 times smaller than in the McEliece cryptosystem and 6 times smaller than in the Niederreiter version. The transmission rate is 0.75, similar to that of the McEliece cryptosystem and higher than in the Niederreiter version. The encryption and decryption complexity, as reported in Tables II and IV, are determined by 1206 and 1790 operations per bit, respectively. So, complexity increases in the encryption stage, but, by exploiting the BF algorithm, the decryption complexity is reduced.

So, we can conclude that, for achieving the same security level, the QC-LDPC codes-based cryptosystem can adopt smaller keys and comparable or higher transmission rates with respect to the classical McEliece and Niederreiter cryptosystems. Moreover, this does not come at the expense of a significantly increased complexity.

At the end of this section, it is also interesting to observe that our system is immune against a new class of distinguishers for high rate McEliece cryptosystems, recently developed in [32]. According to that approach, the key-recovery problem is transformed into the one of solving an algebraic system and, when applicable, the distinguisher permits to recognize a generator matrix of the considered code from a randomly picked binary matrix. This transformation cannot be applied to the QC-LDPC codes of the type we have considered. Although the existence of a distinguisher cannot be considered as a proof of weakness, its non-existence is a further argument in favor of the robustness of the QC-LDPC codes-based cryptosystem.

V. Conclusion 

We have deepened the analysis of a variant of the McEliece cryptosystem using QC-LDPC 
codes in place of Goppa codes. Such modification is aimed at overcoming the main drawbacks 
of the original system, while still allowing to reach a satisfactory security level. 

We have proposed to adopt bit flipping algorithms for decoding the QC-LDPC codes, in such a way as to achieve a rather good performance while strongly reducing the decoding complexity with respect to the SPA. The adoption of bit flipping decoding has also allowed to develop simple analytical tools for estimating the error correction capability of the considered codes, thus simplifying the system design by avoiding the need for long numerical simulations. Together with the methods we have described to evaluate complexity, these tools provide the system designer a fast procedure for optimizing the choice of the cryptosystem parameters.